| 2019-10-29 12:11:10 |
Balazs Gibizer |
description |
At the start of the move operation the nova-api checks that the server has ports with resource request as some of the move operations are not supported for such servers yet. Unfortunately if move the operation is called by a non-admin user (either it is a resize, or another move operation with explicit policy change) then nova uses the non-admin token to query neutron. If the neutron port is queried with a non admin token then neutron does not return the resource_request to nova in the port response. Therefore nova thinks that the port ha no resource request and allows the operation.
Reproduce in Ussuri
===================
* Boot a server with qos port.
* Change the nova policy to allow evacuate to be called by the owner of the server "os_compute_api:os-evacuate": "rule:admin_or_owner"
* stop the nova-compute service on the host where the server currently running and wait until the controller decides that the compute is done
* with the non-admin owner initiate the evacuate of the server
Expected:
* evacuate rejected
Actual:
* evacuate accepted (and later fail due to missing implementation)
Triage
======
Due to [1] not using an admin client nova does not get the resource requests of the attached ports.
Affected versions and operations
================================
* Ussuri: evacute, live migrate, unshelve
* Train: evacuate, live migrate, unshelve (resize and cold migrate is supported so the faulty check is not there any more)
* Stein: resize, migrate, evacuate, live migrate, unshelve
* Rocky or older: Not applicable as booting server with qos ports is implemented in Stein.
[1] https://github.com/openstack/nova/blob/9742a64403c0a0ae5e0b37df5b0bf3ba14ac4626/nova/api/openstack/common.py#L576 |
At the start of the move operation the nova-api checks that the server has ports with resource request as some of the move operations are not supported for such servers yet. Unfortunately if move the operation is called by a non-admin user (either it is a resize, or another move operation with explicit policy change) then nova uses the non-admin token to query neutron. If the neutron port is queried with a non admin token then neutron does not return the resource_request to nova in the port response. Therefore nova thinks that the port ha no resource request and allows the operation.
Reproduce in Ussuri
===================
* Boot a server with qos port.
* Change the nova policy to allow evacuate to be called by the owner of the server "os_compute_api:os-evacuate": "rule:admin_or_owner"
* stop the nova-compute service on the host where the server currently running and wait until the controller decides that the compute is done
* with the non-admin owner initiate the evacuate of the server
Expected:
* evacuate rejected
Actual:
* evacuate accepted (and later fail due to missing implementation)
Triage
======
Due to [1] not using an admin client nova does not get the resource requests of the attached ports.
Affected versions and operations
================================
The resize, migrate, live migrate, evacuate, unshelve opertaions are affected on master, Train, Stein.
[1] https://github.com/openstack/nova/blob/9742a64403c0a0ae5e0b37df5b0bf3ba14ac4626/nova/api/openstack/common.py#L576 |
|
